From: http://blog.csdn.net/yaosan/archive/2008/06/10/2533545.aspx
A few days ago, this blog said that ATL uses a thunk for message dispatch. At that time I felt puzzled: the stack, can memory on the stack be executed? Can it be executed like a code segment? When is the protection bit set? I did not go into the details afterwards. I have to change this habit; I cannot leave my questions aside. I must face them!
When I got up early this morning, a comment from double-cup wine showed me that the answer is at the above URL. Thank you!
Thunk and DEP
What is a thunk?
The thunk technique stores the bytes of a piece of machine code in a contiguous memory structure and then casts a pointer to that structure to a function pointer, so that the bytes are executed as a function.
What is DEP?
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on the system. In Microsoft Windows XP Service Pack 2, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows XP Tablet PC Edition 2005, and Microsoft Windows Vista, DEP is enforced by hardware and software.
The main advantage of DEP is that it helps prevent code execution from data pages. Generally, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from abusing the exception-handling mechanism in Windows.
Hardware-enforced DEP is a feature of some DEP-compatible processors that prevents code execution in memory areas marked as data storage. This feature is also called no-execute and execution protection. Windows XP SP2 also includes software-enforced DEP, which aims to reduce abuse of the exception-handling mechanism in Windows.
My experience using thunk
I saw a lot of thunk code on vckbase the other day and used it in a project. The program passed every test on my computer, but when I put it on the server (Microsoft Windows Server 2003 Service Pack 2), it went down. I was puzzled. I installed VC on the server and started debugging, and found that the problem was the thunk.
I looked for information and found the cause only after 2 days: on Windows XP SP2 the default is "enable DEP only for basic Windows programs and services", while on Microsoft Windows Server 2003 Service Pack 2 the default is "enable DEP for all programs and services except the following selected programs".
Where can I view the DEP settings?
My Computer -> Properties -> Advanced -> Performance -> Settings -> Data Execution Prevention
If you see the message "Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to protect against certain types of attacks.", then the thunk program runs well even with "enable DEP for all programs and services except the following selected programs" selected. Newer CPUs, however, support hardware DEP.
On Microsoft Windows Server 2003 Service Pack 2, I changed the setting to "enable DEP only for basic Windows programs and services". The thunk then ran normally.
Is the problem solved?
Of course it has not been solved yet. I know that WTL also uses thunk technology, so we used WTL to generate a dialog program, set DEP to the default setting on Microsoft Windows Server 2003 Service Pack 2, and ran the WTL dialog: it runs, even though a thunk is also used. What is the reason? Check the ATL code.
    result = IsProcessorFeaturePresent(12 /* PF_NX_ENABLED */);
Determine the processor features.
If the result returned is TRUE:
    thunkPage = (PATL_THUNK_ENTRY)VirtualAlloc(NULL,
                                               PAGE_SIZE,
                                               MEM_COMMIT,
                                               PAGE_EXECUTE_READWRITE);
VirtualAlloc with PAGE_EXECUTE_READWRITE is used to allocate the memory for the thunk code.
The problem is solved here.
The thunk code in the attachment is in the callbacktemplate.h and callbacktemplate.cpp files.
The following is a supplement:
The real code behind the pseudo code above is as follows (note that it allocates a new page of executable memory!):
    PVOID
    __AllocStdCallThunk_cmn (
        VOID
        )
    /*++
    Routine Description:
        This function is called by ATL to allocate a thunk structure from
        executable memory.
    Arguments:
        None.
    Return Value:
        Returns a pointer to a thunk structure on success.  Raises an exception
        on failure.
    --*/
    {
        PATL_THUNK_ENTRY lastThunkEntry;
        PATL_THUNK_ENTRY thunkEntry;
        PVOID thunkPage;

        //
        // Perform initialization if this is the first time through.
        //
        if (__AtlThunkPool == NULL) {
            if (__InitializeThunkPool() == FALSE) {
                goto outOfMemory;
            }
        }

        if (ATLTHUNK_USE_HEAP()) {
            //
            // On a non-NX capable platform, use the standard heap.
            //
            thunkEntry = (PATL_THUNK_ENTRY)HeapAlloc(GetProcessHeap(),
                                                     0,
                                                     sizeof(ATL::_stdcallthunk));
            if (thunkEntry == NULL) {
                goto outOfMemory;
            }
            return thunkEntry;
        }

        //
        // Attempt to pop a thunk structure from the list and return it
        //
        thunkEntry = (PATL_THUNK_ENTRY)__AtlInterlockedPopEntrySList(__AtlThunkPool);
        if (thunkEntry != NULL) {
            return &thunkEntry->Thunk;
        }

        //
        // The thunk list was empty.  Allocate a new page of executable
        // memory.
        //
        thunkPage = (PATL_THUNK_ENTRY)VirtualAlloc(NULL,
                                                   PAGE_SIZE,
                                                   MEM_COMMIT,
                                                   PAGE_EXECUTE_READWRITE);
        if (thunkPage == NULL) {
            goto outOfMemory;
        }

        //
        // See if another thread has replenished the pool while we were off
        // allocating memory.  This does not close the window but makes it much
        // smaller.
        //
        // The volatile reference moves the overhead of making the page present
        // outside of the window.
        //
        *(DWORD volatile *)thunkPage;
        thunkEntry = (PATL_THUNK_ENTRY)__AtlInterlockedPopEntrySList(__AtlThunkPool);
        if (thunkEntry != NULL) {
            //
            // The pool has been replenished.  Free the page and use the thunk
            // entry that we just initialized.
            //
            VirtualFree(thunkPage, 0, MEM_RELEASE);
            return thunkEntry;
        }

        //
        // Create an array of thunk structures on the page and insert all but
        // the last into the free thunk list.
        //
        // The last is kept out of the list and represents the thunk allocation.
        //
        thunkEntry = (PATL_THUNK_ENTRY)thunkPage;
        lastThunkEntry = thunkEntry + ATL_THUNKS_PER_PAGE - 1;
        do {
            __AtlInterlockedPushEntrySList(__AtlThunkPool, &thunkEntry->SListEntry);
            thunkEntry += 1;
        } while (thunkEntry < lastThunkEntry);

        return thunkEntry;

    outOfMemory:
        return NULL;
    }
DEP is described as follows in the XP Help documentation:
Understanding Data Execution Prevention
Data Execution Prevention helps protect your computer from viruses and other security threats. These viruses and threats attempt to attack by running (executing) malicious code from protected memory locations that only Windows and other programs should use. This kind of threat does damage by taking over one or more memory locations in use by a program. It then spreads and harms other programs, files, and even your e-mail contacts.
Unlike firewalls or anti-virus programs, DEP cannot help prevent harmful programs from being installed on your computer; instead, it monitors your programs to determine whether they use system memory safely. To do this, DEP software works alone or together with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code (whether malicious or not) from a protected memory location, DEP closes the program and notifies you.
DEP can take advantage of software and hardware support. To use DEP, your computer must run Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software running alone helps defend against some types of malicious code attacks, but to take full advantage of the protection DEP can provide, your processor must support "execution protection". Execution protection is a hardware-based technique used to mark memory locations as "non-executable". If your processor does not support hardware-based DEP, it is best to upgrade to a processor that provides execution protection.
Is it safe to run a program again after DEP has closed it?
Yes, but only if you leave DEP enabled for that program. Windows can continue to detect attempts to execute code from protected memory locations and help prevent attacks. If a program does not run properly with DEP enabled, you can reduce security risks by obtaining a DEP-compatible version of the program. For details about what to do after DEP closes a program, click "Related Topics".
How do I determine if DEP is enabled on my computer?
- To open System Properties, click Start, click Control Panel, and then double-click "System".
- Click the "Advanced" tab, and then click "Settings" under "Performance".
- Click the Data Execution Prevention tab.
Note:
- By default, DEP is only enabled for basic Windows operating system programs and services. To have DEP help protect other programs, select "enable DEP for all programs other than the following".